Security breach when using 2 IE screens

 6 Replies
andrew
Veteran Member
Posts: 100

I have noticed that if I login to portal using my own login...then open another IE window and login using my ESS login (we still use LAUA...lock down for application login and have generic security class for ESS users)...my first login session is going - but the security used is from my second login.

For us...my security does not allow corporate access - but when I open that second IE browser window (staying logged into the first window) and login using ESS login (which, of course, has to allow corporate access so I can see my ESS info) - my first login then allows me corporate access.

Process:

1. open IE and login using regular username

2. open second IE and login using ESS login

3. go back to first window - security seems to use the security class assigned to my ESS login and not my regular login.

Windows and SQL 2005 setup, LAUA security, WebSphere.

Any ideas?

John Henley
Posts: 3353

This is actually a fairly common (and hotly debated) browser issue. It is rooted in how browser sessions are created, and the sharing across browser sessions of cookies used to track the user.

My understanding is that if you use Ctrl-N from session 1 to create a new IE session 2, it is started in the same process as session 1, and therefore retains/shares the same cookies. (This sounds like the scenario you are describing.) However, if you actually launch a second instance of IE, it will maintain separate cookies.

Which method are you using to open the second IE window? Also, which IE version? I think this was how it worked in IE6, and then it was fixed in IE7, and then IE8 reverted back to IE6 behavior, but added the -nomerge switch to act like IE7.

Thanks for using the LawsonGuru.com forums!
John
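The following is an added example, not code from this thread, from LawsonGuru, Lawson or Microsoft. It models the mechanism John describes: a server that identifies the caller by a single session cookie, and two browser windows that either share one cookie jar (File > New Window or Ctrl-N in the same IE process) or keep separate jars (a separately launched instance, or IE8 with -nomerge). Replaying the five steps from the thread against this model shows why the first window ends up presenting the ESS identity. The cookie name, the account names, the HR11 scoping policy and the employee identifiers are all constructed for the illustration.

```python
# Added example: model of session-cookie sharing between two browser windows.
# Everything here (cookie name, users, HR11_SCOPE policy) is constructed.
import secrets

SESSION_COOKIE = "SESSIONID"   # constructed cookie name

# Constructed authorization policy, standing in for the LAUA security classes:
# which employee records each account may open on the HR11 form.
HR11_SCOPE = {
    "accountant": {"plant_a", "plant_b"},   # process levels this user may see; no corporate
    "ess_user":   {"ess_user"},             # ESS class scoped to the account's own record
}


class SessionServer:
    """Toy web application: identity is whatever the session cookie maps to."""

    def __init__(self):
        self.sessions = {}   # session id -> username

    def login(self, jar, username):
        # Issue a fresh session id and hand it to the browser as a cookie.
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        jar[SESSION_COOKIE] = sid
        return sid

    def logout(self, jar):
        # Invalidate the session server-side and clear the cookie from the jar.
        sid = jar.pop(SESSION_COOKIE, None)
        self.sessions.pop(sid, None)

    def whoami(self, jar):
        return self.sessions.get(jar.get(SESSION_COOKIE))

    def hr11_view(self, jar, employee):
        # The access decision is made server-side from the session identity;
        # hiding a search box in the UI plays no part in it.
        user = self.whoami(jar)
        if user is None:
            return "denied: not logged in"
        if employee in HR11_SCOPE.get(user, set()):
            return f"record {employee} shown to {user}"
        return f"denied: {user} may not view {employee}"


def replay_thread_steps(shared_jar):
    """Steps 1-5 from the thread. Returns the server and window 1's cookie jar."""
    server = SessionServer()
    window1 = {}                                  # window 1's cookie jar
    window2 = window1 if shared_jar else {}       # same jar, or a separate one
    server.login(window1, "accountant")           # 1. login to portal
    # 2. File > New Window opens a duplicate page; no request is needed here
    server.logout(window2)                        # 3. log off in the new window
    server.login(window2, "ess_user")             # 4. log back on with the ESS login
    return server, window1                        # 5. go back to the first window


def identity_seen_by_window1(shared_jar):
    """Which account the server believes window 1 belongs to after step 5."""
    server, window1 = replay_thread_steps(shared_jar)
    return server.whoami(window1)


def hr11_from_window1(shared_jar, employee):
    """Result of opening one HR11 record from window 1 after step 5."""
    server, window1 = replay_thread_steps(shared_jar)
    return server.hr11_view(window1, employee)


if __name__ == "__main__":
    for shared in (True, False):
        label = "shared jar" if shared else "separate jars"
        print(label, "->", identity_seen_by_window1(shared),
              "|", hr11_from_window1(shared, "corporate_cfo"))
```

With a shared jar, window 1 presents the ESS account after step 5, which is the "open to the world" effect described in the thread; with separate jars it still presents the accountant. The second function shows the server-side side of the same picture: what window 1 can reach is exactly what the ESS security class permits, so scoping that class to the account's own record bounds what the shared session can expose, whereas a disabled search box on the ESS form would not.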
andrew
Veteran Member
Posts: 100

I am on 8 - believe it or not my PC runs Windows 7 and the only thing to freeze up so far is IE 8 (everything else is stable - not bad Mr. Gates).
Anyhow - process:

1. open browser, login to portal
2. select File - New Window
3. this will open a duplicate page....log off this window
4. log back on (this is the second window) using ESS login
5. go back to the very first window...and there you have it...open to the world.

I will have to test it in IE 7.

Any "quick" solution / suggestion?
I was thinking of trying to put together an ESS role and start using LS9 for ESS logins (until we can get fully deployed in LS9) - would that work? - maybe not if it is an IE cookie issue.

By the way, John - thanks for the reply, it is appreciated.
John Henley
Posts: 3353

Do a search on the -noMerge flag and see if that works for your scenario. Regardless...how is this really a security breach?

Thanks for using the LawsonGuru.com forums!
John
andrew
Veteran Member
Posts: 100

What occurs is that we have a user (accountant) login using their own login. They are secured from corporate payroll - but have HR11 access for other process levels.

They click on File - New Window in IE - it brings up a duplicate window...

they log off this window and login to their ESS account (please note we have the search box disabled for the ESS.xml form)

then when they go back to their original screen and go to HR11 - they can bring up their own information in the HR11 screen and other HR screens they have access to.

very strange
GregSl
Veteran Member
Posts: 38

I would work with ESS Security only, to see what an ESS account can access. ESS access has to be limited only to the user on both HR11 and all relevant tables.
andrew
Veteran Member
Posts: 100

Lawson is pushing the issue to Microsoft and the way IE runs - parent-child relations.
Working on cleaning up the ESS security class we have for ESS access.
Also looking at removing the logout button in portal.